Disclaimer

The new DPC website is currently under construction. Our latest guidance in relation to GDPR, which comes into effect on 25th May, 2018, can be found at gdprandyou.ie and via pages on this website starting with "NEW" as per the navigation pane on the left. All other material on this site relates to the previous legislative regime under the Data Protection Acts 1988-2003 ("the Acts"). While the Acts may continue to apply in some circumstances, as of 25th May, 2018 the GDPR is the primary piece of legislation governing data protection.

Data Protection Commission

General Data Protection Regulation

The General Data Protection Regulation (GDPR) is in force as of the 25th May 2018, replacing the existing data protection framework under the EU Data Protection Directive.

As a regulation, does not generally require transposition into Irish law (regulations have ‘direct effect’), so organisations involved in data processing of any sort need to be aware the regulation addresses them directly in terms of the obligations it imposes. The GDPR emphasises transparency, security and accountability by data controllers and processors, while at the same time standardising and strengthening the right of European citizens to data privacy.

Raising awareness among organisations and the public of the new law will be a combined effort of the Data Protection Commission (DPC), the Government, practitioners, and industry and professional representative bodies. The DPC has been proactively undertaking a wide range of initiatives to build awareness of the GDPR, in particular providing guidance to help organisations prepare for the new law which is in force as of 25th May 2018.

The DPC is also an active participant in the European Data Protection Board (EDPB), which replaced the Article 29 Working Party (WP29). The EDPB comprises representatives from each EU member state’s supervisory authority. The role of the EDPB will be to ensure the consistency of the application of the GDPR throughout the European Union by issuing guidelines, opinions and decisions

 

Guidance

The DPC has launched a GDPR-specific website www.GDPRandYou.ie with guidance to help individuals and organisations become more aware of their enhanced rights and responsibilities under the General Data Protection Regulation.  

The DPC has also prepared an introductory document for organisations to help them as they transition to GDPR: “The GDPR and You”. This document lists 12 steps which organisations should take in order to be GDPR. It should be noted that the guide is not an exhaustive list and organisations should ensure that their preparations take account of all actions required to bring them into compliance with the new law.

For guidance on whether your organisation needs to appoint a Data Protection Officer, and how to ensure that your DPO is adequately resourced for the role, see the DPC’s Guidance on appropriate Qualifications for Data Protection Officers (GDPR).

Awareness Activities

Information about the DPC’s awareness raising activities and outreach engagements over the coming months can be found at GDPR Awareness Raising Activities.

On the 23rd January, 2018 the DataProtection Commission's office, in association with the Centre for Information Policy Leadership (CIPL) held a workshop for SMEs and Public Sector entities on "How Organisaitons cna deliver Accountability under GDPR. For further information on the event, please click here

EU Article 29 Working Party

The Article 29 Working Party has issued guidelines in draft status on the following subjects:

In 2017 this Office initiated a consultation period to inform the Article 29 Working Party preparation of guidance on the interpretation and application of key provisions of the GDPR. This office accepted submissions from interested individuals and organisations on the following key concepts:

  • Consent
  • Profiling
  • Personal data breach notifications
  • Certification

For further information, see here.